I am just learning Shibboleth SP and I have run into an issue where I cannot read the NameID from the SAML Response I receive from our corporate IdP. The only "attribute" they have configured for me is the NameID which holds the username in our AD. They do not add it as an attribute, but rather in the subject. Below is the portion of the SAML response containing the NameID.
<Subject>
<NameID>XXXXXX</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="_cbedab7210959e0d00294c557c648eb5"
NotOnOrAfter="2017-05-18T21:15:24.776Z"
Recipient="https://xxxxxx.com/Shibboleth.sso/SAML2/POST"
/>
</SubjectConfirmation>
</Subject>
How can I extract this simple value? I have not found an example entry in the attribute-map.xml that seems to fit the bill.
I am using IIS 8.5 and ColdFusion.
I finally got the attribute to map using the following. In my case, I had replaced SAML:1.1 with SAML2. I assume the NameID is part of the SAML:1.1 spec.
<Attribute name="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" id="NameID">
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$Name" defaultQualifiers="true"/>
</Attribute>
Related
I am using Spring 4, with Spring Security 4 to secure web-services. A normal web-service worked fine without security. My secured web-services also seemed to work great working locally and with unit testing.
We are using the SiteMinder example, which means we have authentication happenind from a remote authority. This delivers a token to the browser when we login. We pass the authentication token with a request header, and this is pulled from customerUserDetailsService. That class and methods pull the token from the header, authenticates the user against that remote authority, and we get a username. From that username, we make a DAO call to our database to get the User Details and their Roles, which in the Spring Security Context uses the roles to grant authority. This is all working fine, and we get an authenticated user and we have thier roles/grantedAuthorities.
So, as previously stated, we are now just securing web-services with spring-security.xml to secure the web-services based on the role of the user. Again, this all seemed to work fine with unit testing. We had a token for a user who did not have access to web-sites and we correctly got back a 403 error. When we used a token for a user who did have the right role, was able to execute the web-service.
Now I am trying to deploy this into a new environment, and I am not having much luck.
So, I have a spring-security.xml that looks like:
<http use-expressions="true" auto-config="false" entry-point-ref="http403EntryPoint">
<!-- Additional http configuration omitted -->
<intercept-url pattern="/records/authorizedRecords" access="hasRole('portalUser')" />
<intercept-url pattern="/records/myCode" access="hasRole('portalUser')" />
<intercept-url pattern="/users/email" access="hasRole('appAdmin')" />
<custom-filter position="PRE_AUTH_FILTER" ref="openAmFilter" />
</http>
<beans:bean id="openAmFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
<beans:property name="principalRequestHeader" value="openam_token"/>
<beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>
<beans:bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<beans:property name="preAuthenticatedUserDetailsService">
<beans:bean id="userDetailsServiceWrapper" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<beans:property name="userDetailsService" ref="customUserDetailsService"/>
</beans:bean>
</beans:property>
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="preauthAuthProvider" />
</authentication-manager>
<beans:bean id="customUserDetailsService" class="com.agmednet.server.security.CustomUserDetailsService"></beans:bean>
<beans:bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint">
When we tried access to:
<intercept-url pattern="/users/email/*" access="hasRole('appAdmin')" />
this did not seem to match:
/rest/users/email/myemail#someemail.com
so I changed it to:
<intercept-url pattern="/rest/users/email/*" access="hasRole('appAdmin')" />
And I get this from the log.
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/rest/trials/integratedtrials'; against '/rest/users/email/*'
DEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Public object - authentication not attempted
DEBUG: org.springframework.security.web.FilterChainProxy - /rest/trials/integratedTrials reached end of additional filter chain; proceeding with original chain
DEBUG: org.springframework.security.web.access.ExceptionTranslationFilter - Chain processed normally
DEBUG: org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
At this point, I know we have an authenticated user, the username, and the roles are listed right there in the logs. We seem to find a matching URL in the spring-security.xml, the URL matches, the roles match, and now I feel we should be executing the logic behind the web-service, but I get an error message:
Apache Tomcat/8.0.30 - Error report
/services/rest/users/email/myemail#someemail.com
The requested resource is not available.
I am absolutely floored here .... unsecured web-services work great. I have to be missing something? Is it with the word "rest" in the URL? Web-services have always worked when they were unsecured. I added security and add unit tests to test this all out, and now I am unsure of what happened?
The problem is that I am an idiot!!!!
In the /WEB-INF/web.xml file I had this defined:
<servlet-mapping>
<servlet-name>springmvc</servlet-name>
<url-pattern>/api/*</url-pattern>
</servlet-mapping>
I suppose that is why when I call any RESTful web-services with:
/rest/users/email/myemail#someemail.com
it doesn't work.
But when I use:
/api/users/email/myemail#someemail.com
now it works.
Conclusion: I am an idiot!!!
I'm facing wso2 data service problem with simple query.
Expected query:
I want to use IN clause with multiple value. This is my sample query:
SELECT ORGANIZATION_ID, ORGANIZATION_NAME FROM ORGANIZATION WHERE ORGANIZATION_ID IN (?)
ORDER BY ORGANIZATION_NAME ASC
Getting error:
When i try web service using "1,2,3" value, i get javax.xml.stream.XMLStreamException error.
How can i write above query in WSO2 DSS?
Please advice me on that.
Thanks,
Eba
Refer the following data service query configuration which contains a sample input parameter of type "ARRAY" which you can effectively use to get your requirement fulfilled.
<query id="setSalaryForEmployeesQuery" useConfig="default">
<sql>update Employees set salary=:salary where employeeNumber in (:employeeNumbers)</sql>
<param name="salary" ordinal="1" paramType="SCALAR" sqlType="DOUBLE" type="IN"/>
<param name="employeeNumbers" ordinal="2" paramType="ARRAY" sqlType="INTEGER" type="IN"/>
</query>
There, if you refer the input mapping configuration named "employeeNumbers", it basically addresses the same requirement mentioned in your query.
To try this functionality, you can use the "tryIt" functionality provided with each data service(similar to other service types) and the data service request format corresponding to the aforementioned configuration would look like what's depicted below.
<p:setSalaryForEmployees xmlns:p="http://ws.wso2.org/dataservice/samples/rdbms_sample">
<!--Exactly 1 occurrence-->
<xs:salary xmlns:xs="http://ws.wso2.org/dataservice/samples/rdbms_sample">1000</xs:salary>
<!--1 or more occurrences-->
<xs:employeeNumbers xmlns:xs="http://ws.wso2.org/dataservice/samples/rdbms_sample">1011</xs:employeeNumbers>
<xs:employeeNumbers xmlns:xs="http://ws.wso2.org/dataservice/samples/rdbms_sample">1022</xs:employeeNumbers>
</p:setSalaryForEmployees>
The complete data service configuration which contains the above configuration snippet can be located in the "DSS_HOME/sample/dbs/rdbms/RDBMSSample.dbs" which resides in DSS product archive.
I'm having serious problems with creating a Web service in Visual Studio 2010 (Framework 4).
Anyway, I have to use a Oracle membership provider (I have installed "Oracle Providers for ASP.NET 4 11.2.0.2.0', which modifies the framework's machine.config), but I can not connect to the membership.
My code in web.config is as follows:
<configuration>
<connectionStrings>
<remove name="OraAspNetConString"></remove>
<add name="OraAspNetConString" connectionString="User Id=USUARIO;Password=PASSWORD;Data Source=DATABASENAME;" providerName="Oracle.DataAcces.Client"/>
</connectionStrings>
<system.web>
<membership defaultProvider="OracleMembershipProvider" userIsOnlineTimeWindow="30"/>
<roleManager defaultProvider="OracleRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName=".ASPROLES" cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" cookieProtection="All"/>
<authentication mode="None"/>
<authorization>
<allow users="*"/>
</authorization>
I also added the reference 'System.Web.ApplicationServices' to my project.
To test the connection to the membership of Oracle I have put this code in one of the OperationContract that has my web service:
MembershipUserCollection userC = Membership.GetAllUsers();
sample.StringValue += " - " + userC.Count;
bool resp = Membership.ValidateUser(id, id2);
The obtained MembershipUserCollection always appears without users. UserC.Count always equals zero.
The parameters 'id' and 'id2', username and password respectively, are used to validate (that is a poor use, I know) but always returns false.
Anybody can help me with this?
Thanks a lot.
PD: Authentication mode is 'None', I've tried with 'Forms' and still not working.
Problem solved.
I needed to put the name of the application (applicationName) on the label of the membership and role manager providers (in the file machine.config).
:-)
I'm trying to authenticate a SOAP request using WS-UsernameToken spec, but the target device is always denying access. My non-working request looks like this. (The password I'm trying to hash is system.)
<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="http://www.w3.org/2003/05/soap-envelope">
<Header>
<Security xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>root</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">EVpXS/7yc/vDo+ZyIg+cc0fWdMA=</Password>
<Nonce>tKUH8ab3Rokm4t6IAlgcdg9yaEw=</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2010-08-10T10:52:42Z</Created>
</UsernameToken>
</Security>
</Header>
<Body>
<SomeRequest xmlns="http://example.ns.com/foo/bar" />
</Body>
</Envelope>
What I'm looking for is a similar request example, but with authentication token that actually works. For example if you have gSOAP application that uses these token, and can generate a request and post the result here, I'd be very grateful.
The core thing is to define prefixes for namespaces and use them to fortify each and every tag - you are mixing 3 namespaces and that just doesn't fly by trying to hack defaults. It's also good to use exactly the prefixes used in the standard doc - just in case that the other side get a little sloppy.
Last but not least, it's much better to use default types for fields whenever you can - so for password you have to list the type, for the Nonce it's already Base64.
Make sure that you check that the generated token is correct before you send it via XML and don't forget that the content of wsse:Password is Base64( SHA-1 (nonce + created + password) ) and date-time in wsu:Created can easily mess you up. So once you fix prefixes and namespaces and verify that yout SHA-1 work fine without XML (just imagine you are validating the request and do the server side of SHA-1 calculation) you can also do a truial wihtout Created and even without Nonce. Oh and Nonce can have different encodings so if you really want to force another encoding you'll have to look further into wsu namespace.
<S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu= "...">
<S11:Header>
...
<wsse:Security>
<wsse:UsernameToken>
<wsse:Username>NNK</wsse:Username>
<wsse:Password Type="...#PasswordDigest">weYI3nXd8LjMNVksCKFV8t3rgHh3Rw==</wsse:Password>
<wsse:Nonce>WScqanjCEAC4mQoBE07sAQ==</wsse:Nonce>
<wsu:Created>2003-07-16T01:24:32</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
...
</S11:Header>
...
</S11:Envelope>
The Hash Password Support and Token Assertion Parameters in Metro 1.2 explains very nicely what a UsernameToken with Digest Password looks like:
Digest Password Support
The WSS 1.1 Username Token
Profile allows digest passwords to
be sent in a wsse:UsernameToken of a
SOAP message. Two more optional
elements are included in the
wsse:UsernameToken in this case:
wsse:Nonce and wsse:Created. A
nonce is a random value that the
sender creates to include in each
UsernameToken that it sends. A
creation time is added to combine
nonces to a "freshness" time period.
The Password Digest in this case is
calculated as:
Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )
This is how a UsernameToken with
Digest Password looks like:
<wsse:UsernameToken wsu:Id="uuid_faf0159a-6b13-4139-a6da-cb7b4100c10c">
<wsse:Username>Alice</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">6S3P2EWNP3lQf+9VC3emNoT57oQ=</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">YF6j8V/CAqi+1nRsGLRbuZhi</wsse:Nonce>
<wsu:Created>2008-04-28T10:02:11Z</wsu:Created>
</wsse:UsernameToken>
Check this one (Password should be password):
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-6138db82-5a4c-4bf7-915f-af7a10d9ae96">
<wsse:Username>user</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">CBb7a2itQDgxVkqYnFtggUxtuqk=</wsse:Password>
<wsse:Nonce>5ABcqPZWb6ImI2E6tob8MQ==</wsse:Nonce>
<wsu:Created>2010-06-08T07:26:50Z</wsu:Created>
</wsse:UsernameToken>
May be this post (Secure Metro JAX-WS UsernameToken Web Service with Signature, Encryption and TLS (SSL)) provides more insight. As they mentioned "Remember, unless password text or digested password is sent on a secured channel or the token is encrypted, neither password digest nor cleartext password offers no real additional security. "
I need to create a mule service that will POST data to a web service that expects name/value pairs (not xml), then process the XML response from that service. I cannot find a good example on how to prep the payload for an http POST.
Can someone provide some insight or examples?
What I have so far is (I don't know if 'PathToTransformerClass' is needed):
<service name="myService">
<inbound>
<vm:inbound-endpoint path="myService.request" synchronous="true">
<custom-transformer class="PathToTransformerClass" />
</vm:inbound-endpoint>
</inbound>
<outbound>
<pass-through-router>
<http:outbound-endpoint address="URIofWebServiceToPostTo" method="POST" synchronous="true">
<response-transformers>
<custom-transformer class="PathToClassToProcessTheResponse" />
</response-transformers>
</http:outbound-endpoint>
</pass-through-router>
</outbound>
</service>
The following might be helpful: http://comments.gmane.org/gmane.comp.java.mule.user/29342
I can't find any examples either, but it looks like the built-in HTTP transformers are
http-response-to-object-transformer A
transformer that converts an HTTP
response to a Mule Message. The
payload may be a String, stream, or
byte array.
http-response-to-string-transformer
Converts an HTTP response payload
into a string. The headers of the
response will be preserved on the
message.
object-to-http-request-transformer
This transformer will create a valid
HTTP request using the current message
and any HTTP headers set on the
current message.
message-to-http-response-transformer
This transformer will create a valid
HTTP response using the current
message and any HTTP headers set on
the current message.
object-to-http-request-transformer might be your best bet; perhaps you can create a map of key-value pairs and then convert that into URL encoded form? Not sure but hopefully this gives you some things to Google.
Are you asking about how to take XML and create key value pairs to send out via HTTP? For that you can use an XLST transformer where in the XSL you set the method output to be text.
1) Let variables=<map><entry><string>idEvent_Type</string><string>1</string></entry></map>&options=user:admin
be the Map body to post as HTTP request.
2) URL encode it (eg. using http://meyerweb.com/eric/tools/dencoder/)
which produce :
variables%3D%3Cmap%3E%3Centry%3E%3Cstring%3EidEvent_Type%3C%2Fstring%3E%3Cstring%3E1%3C%2Fstring%3E%3C%2Fentry%3E%3C%2Fmap%3E%26options%3Duser%3Aadmin
3) then create a Mule set-payload transformer :
<set-payload value="variables%3D%3Cmap%3E%3Centry%3E%3Cstring%3EidEvent_Type%3C%2Fstring%3E%3Cstring%3E1%3C%2Fstring%3E%3C%2Fentry%3E%3C%2Fmap%3E%26options%3Duser%3Aadmin
" doc:name="Set playload"/>
4) then create a Mule HTTP endpoint :
<http:outbound-endpoint exchange-pattern="request-response" host="..." port="..." path="..." user="..." password="..." contentType="application/x-www-form-urlencoded" doc:name="POSTHTTPRequest"/>
and it works
Maybe U can give a try using Object-to-http-request-transformer as this transformer will create a valid HTTP request using the message currently received and any HTTP headers set on the current message.
Have never tried it, but that is the only transformer I can get in my mind after reading ur query...hope it works.. :D